[ar:Grant Bugher]
[al:Def Con 24 Hacking Conference]
[ti:Bypassing Captive Portals and Limited Networks]
[au:Grant Bugher]
[by: DEF CON Communications (https://www.defcon.org)]
[00:00:01.00]
So if you've been
hanging around in track one all
day like I have, um so far we
[00:00:06.20]
have learnt how to overthrow a
government and cause mass
anarchy, umm then we learnt how
[00:00:12.00]
to create survival tools after
you've created the anarchy but
just speaking more generally I
[00:00:17.23]
think we're gonna learn
something here that is practical
which is umm, bypassing captive
[00:00:22.23]
portals [audience applaud] which
very clearly people have some
interest in. So let's give Grant
[00:00:28.03]
a big round of applause and our
laptop loaner. [audience applaud
and indistinct dialogue]
[00:00:33.03]
[00:00:40.23]
Alright, uh hello everybody. I'm
going to have to go pretty
quickly because I've only got
[00:00:43.90]
about 15 mins here so um, first
of all a bit about myself but
not very much. I've been hacking
[00:00:50.20]
and coding for a long time and I
like giving talks at Defcon and
I'm a generalist in security;
[00:00:56.73]
I've done various programming,
infrastructure etc. Um, I also
have Perimeter Grid which is my
[00:01:02.70]
security blog and personal
consultant. Uh, a few
disclaimers. Um, this is my own
[00:01:08.20]
research, I have an employer,
this talk has nothing to do with
him. Uh, also this talk was
[00:01:13.50]
submitted to Defcon 101. They
put me in the big room because
they thought a lot of people
[00:01:17.30]
would be interested and looking
at this room, it seems they were
right. Uh but nevertheless
[00:01:21.03]
unless you're a professional
ping tester you're going to be
bored. This is not dropping
[00:01:24.40]
great new attacks, this is
showing how to you can use some
existing tools. And finally, in
[00:01:28.93]
the United States, doing any of
this stuff on a network you are
not authorised access is super
[00:01:32.93]
illegal. Uh, so captive portals.
Uh captive portals are a very
primitive type of network access
[00:01:38.80]
protection and they consist of
an open network either Ethernet,
[indistinct] docsis or open
[00:01:42.87]
wifi, usually open wifi and on
initial join you can only go to
one website, the captive portal
[00:01:48.10]
and it doesn't let you in to
anything else and then that
limited website can authorise
[00:01:51.83]
access to more. So you've seen
these everywhere, uh every
store, office, restaurant, wifi,
[00:01:56.90]
hotel and airline internet, uh
guest networks at corporations
and even some telecom networks
[00:02:01.80]
like subscriptions hotspots. Uh,
these are not real network
access protection, they're not
[00:02:06.73]
using 802.1x, they're not using
real cryptography, um they are
attempting to put a small
[00:02:12.70]
barrier in front of you that
they hope you don't know the way
around and as a result they
[00:02:17.97]
don't have a real security
boundary and they're pretty easy
to circumvent. They rely on
[00:02:22.53]
obedient network clients,
network clients that are going
to uh, that are going to behave
[00:02:25.80]
the way network clients normally
do. Um they uh usu- they're
either an authenticated proxy or
[00:02:31.67]
mac filtering on the gateway,
usually mac filtering on the
gateway, governed with IP tape
[00:02:35.70]
rules, tables rules. There's
very little variety in these,
they may look all different um
[00:02:41.10]
but there is a piece of open
source software called
Chillispot that's built into
[00:02:44.13]
open WRT it's available in most
Linux package managers; um it
requires you to have a web
[00:02:50.00]
server and a RADIUS server, if
you want to authenticate users.
Uh it's fairly easy to set up
[00:02:55.00]
and uh basically everything's
just Chillispot – Worldspot.net,
Hotspot Systems, Sputnik, Hot
[00:03:00.77]
Spot Express, Wifi Soft,
SkyRove, ...uh they're all just
Chillispot. Uh if they not
[00:03:05.83]
Chillispot, they are for all
intents and purposes a
Chillispot clone, to the point
[00:03:10.13]
that I can't tell the difference
just looking at the software
from the outside. Um in addition
[00:03:15.37]
even if it isn't Chillispot, it
basically still is. It's still a
website writing IPtables rules.
[00:03:20.47]
So if you want to be able to get
around this you actually need to
do some advanced preparation,
[00:03:24.63]
you need to have an end point
that you can tunnel your traffic
to and so tunnelling is just
[00:03:30.03]
moving one protocol via another,
uh usually you'd use an
encrypted protocol but you
[00:03:33.97]
wouldn't have. You can, you can
use a completely clear text
tunnel um but you'd need some
[00:03:38.40]
server to act as the other end
of your tunnel. And that means
you needs a port, a protocol
[00:03:43.30]
that the captive portal isn't
blocking. So sometimes HTTPS and
SSH are unblocked on specific
[00:03:48.90]
the ports; uh in addition DNS is
basically always unblocked
because of DNS recursion. You
[00:03:53.80]
can reach the local DNS and it
would then proxy your DNS
queries out to the internet. So
[00:03:59.50]
we need to set up a server, any
internet accessible server, any
cheap VPS that lets you control
[00:04:04.23]
all ports, we'll use, uh will
work. So you can't use a like uh
uh shared web host account cos
[00:04:08.73]
you usually get 80 and 443. Uh
you can even use your home pc if
you wanna open these ports to
[00:04:13.63]
the internet on it which I don't
think is a great idea because
you can get a cheap or free AWS
[00:04:18.33]
or Azure node from and just let
Amazon or Microsoft provide you
your end point. Um so some end
[00:04:24.07]
points you wanna set up HTTPS
proxy, SSH and Iodine which
we'll talk a little more about
[00:04:30.10]
and also be sure you open the
ports you set up on your server
cyber wall. So any decent VPS
[00:04:36.33]
will come with SSH enabled so uh
go ahead and add port 3128 to
that as well as any other ports
[00:04:42.17]
you might think is useful to
connect to. Uh depending on the
specific captive portals you are
[00:04:46.73]
after the ports available may be
different. Uh while you're at
it, disable insecure logons on
[00:04:51.20]
SSH just because you should do
that anyway and ensure you have
a public key available so you're
[00:04:56.07]
not doing password log in. Um so
Google app engine, Google uses a
front door service. All Google
[00:05:01.83]
services are behind the same IP,
so if the captive portal allows
access to Google it also allows
[00:05:06.97]
access to Google app engine
which means you can run your
proxy behind Google's front door
[00:05:11.33]
and the same um uh the same
access the captive portal is
using to download ads will also
[00:05:17.13]
let you get to your tunnel. So
you just get your app engine
account, install Python and the
[00:05:21.07]
app engine SDK and uh you can
find code online uh like the
peace offer called Mirrorrr,
[00:05:26.67]
with 3 R's, that is an app
engine compatible Python proxy,
uh just go ahead and put that in
[00:05:32.13]
there and you can now browse to
your app-id.appspot.com and get
to your own proxy. Uh then
[00:05:37.13]
[00:05:40.13]
there's this peace offer called
Iodine. Iodine is IP over DNS
and there are several IP over
[00:05:44.90]
DNS packages. I like Iodine
because it is actually still
supported and it works on
[00:05:48.67]
Windows which is not the case
for most of them. Um, so on your
VPS you install Iodine and you
[00:05:54.73]
then you run it as route with uh
password you make up and a
subdomain that is going to be
[00:06:00.27]
used to forward DNS queries to
you. On your DNS server uh you
need to create a custom record
[00:06:06.50]
for the sub domain and look for
the name server. It's like mine
is t.perimetergrid.com so I
[00:06:10.80]
created a DNS record for NS, the
name server t.perimetergrid.com
and then I create a name server
[00:06:16.53]
record uh pointing back there so
now DNS queries on the Internet
to t.perimetrgrid.com will go to
[00:06:22.53]
my Iodine install. And if you
don't have an DNS server,
Namecheap free DNS is free,
[00:06:27.23]
Amazon Route 53 isn't free but
is also configurable so you can
use those. Uh finally you may
[00:06:32.60]
wanna set up a HTTPS proxy, it's
kinda low value, most captive
portals are too smart for, to
[00:06:38.63]
fall for this but um if you have
a network that allows web
traffic and not other traffic,
[00:06:44.00]
this can be useful as a way to
tunnel other protocols. So then
you need to prepare your client,
[00:06:49.87]
the laptop you're gonna actually
use when you're wanting to do a
bypass so on a hustle network
[00:06:53.63]
you're not going to have
Internet so that means you're
going to have to set all this up
[00:06:56.50]
before you're on a restricted
network. Uh ideally you're gonna
use Linux or Kali, um but
[00:07:01.67]
Windows will actually work fine
for most of these, the only
thing it won't is potentially
[00:07:05.93]
MAC changing. Uh most Windows
drivers don't support changing
the MAC address of your card uh
[00:07:10.03]
but there are some USB network
cards with great support for
windows like the Alpha networks
[00:07:13.83]
card with Realtek and Atheros
chip sets which by the way you
can get down in the Defcon
[00:07:18.10]
vendor room, I, I, uh bought a
lot of them there. Um and you
can always run Linux or Kali in
[00:07:23.77]
HyperV or VirtualBox and make
use of your uh, of it that way.
Um preinstalled tools, you need
[00:07:28.77]
[00:07:31.17]
an SSH client. Linux has it
built in. If you're on Windows,
I like moba x term, you can use
[00:07:34.97]
putty or whatever you want, uh a
copy of Iodine, uh Wireshark on
Windows or Aircrack-NG if you're
[00:07:40.67]
on Linux, nmap and an HTTP
[indistinct] proxy would be
nice. Uh none of the bypasses I
[00:07:46.30]
go through in this talk use that
but uh sometimes you can
actually take advantage of thee
[00:07:51.23]
the captive portal itself, they
have bugs in them. Uh so then we
get to uh ok uh what do we do
[00:07:58.17]
when we want to uh actually
exploit this. So you're on a
network with a captive portal.
[00:08:03.17]
First thing you wanna do is, use
ipconfig or ifconfig on Linux,
see your current IP and find out
[00:08:07.97]
what the gateway is, so once you
know what the gateway is, uh go
ahead and use a MAC to see
[00:08:12.90]
what's on your local subnet, see
what's on the gateway. Um,
you're looking on the gateway
[00:08:17.23]
for uh proxies uh TCP to 3128
which is the default port for
Squid is always
[00:08:22.03]
promising um but there are uh,
it could be on any port really,
they can tap into whatever they
[00:08:26.97]
want. Also look to see if there
is DNS um there almost certainly
is, uh and any other unknown
[00:08:33.00]
ports that you might wanna try
sending traffic to in case
they're a proxy. So try
[00:08:37.77]
connecting to possible proxy
ports, try connecting to your
server through them uh over port
[00:08:42.33]
numbers open on the gateway. Now
admittedly that should never
work just cos the ports open on
[00:08:45.87]
the gateway doesn't mean it
should be open to anything else,
uh but sometimes it does work.
[00:08:48.60]
Uh it was well known for a while
that this worked on GoGo
Inflight, um they have fixed
[00:08:50.60]
that but, um that, that was a
vulnerability in a well-known
hotspot service. So then try
[00:08:52.60]
setting your proxy to your app
engine end point, um, if the
captive portal is app supported
[00:08:54.60]
this would probably work. If
it's not app supported though
umm, then uh this doesn't always
[00:08:56.60]
work. So then try DNS lookups.
Umm, this is the most reliable
method and if a DNS lookup
[00:08:58.60]
works, then try looking up your
Iodine domain um so if you have
a route to a working proxy
[00:09:01.60]
whether an app engine or your
server or the gateways, you're
done. Configure your browser and
[00:09:06.60]
[00:09:13.37]
you're out. Otherwise you can
sshd your server through any of
those ports, do that and then do
[00:09:20.23]
an ssh -d which creates a local
SOCKS proxy on your computer
that routes through that tunnel
[00:09:25.23]
[00:09:37.07]
and configure your browser to go
through there. Uh if you can
look up your Iodine DNS then
[00:09:42.17]
just run Iodine with the
appropriate password and
subdomain and now you got a
[00:09:45.97]
tunnel out and through that
tunnel you SSH and do the proxy
so you're using your own tunnel
[00:09:51.70]
to get out. And I'll demo this
one, uh and then finally you
need to fix your routing to
[00:09:56.67]
point through the new tunnel.
Um, if you're using ssh -d,
that's actually the easiest way
[00:10:00.93]
to do it, just point to the
SOCKS proxy and do it that way.
Alternately though you can
[00:10:05.93]
actually edit the route table on
your proxy to make your new
default route go through the
[00:10:10.23]
tunnel and at that point,
everything works through it.
Um... alright if nothing else
[00:10:16.30]
fails or nothing else works
rather, um Chillispot is just
configuring MAC filters so our
[00:10:21.63]
last ditch way through is using
Airodump NG to uh watch the
traffic and look for a MAC
[00:10:27.60]
address that is in use for a
while and then stops being used.
That's probably someone who
[00:10:32.30]
accessed the captive portal and
then shut their laptop off. So
you just clone your MAC address
[00:10:37.60]
to that MAC address and jump on
the network and you're already
allowed through the IP filters.
[00:10:42.27]
Um, you wanna look for a network
someone stopped using because if
you and someone else are both
[00:10:46.57]
using the same MAC address,
everytime one of you transmits,
you'll deauth the other and so
[00:10:50.87]
your network kinda activity will
be absolutely horrible. Um, it
can work but it's going to be
[00:10:55.83]
really slow. Um on Windows you
can use Wireshark instead of
Airodump NG, um, and you can
[00:11:02.23]
look in device manager and try
to change mac addresses. As I
mentioned earlier, most Windows
[00:11:06.20]
adapters don't support that. Um
so I'm gonna give quick demos of
these and hopefully have at
[00:11:12.67]
least a couple of minutes for
questions. So, hopefully this
will play... it will. Ok, so I
[00:11:18.50]
get on my Wifi at my super
expensive hotel and I want to go
and google for food but the
[00:11:24.57]
super expensive hotel has
state-of-the-art, blistering
fast 256 kilobit 802.11B for
[00:11:29.43]
only $29.95 per 24 hour period
limit 2 devices, just give them
my mobile phone, date of birth,
[00:11:35.03]
my mother's maiden name, credit
card number, social security
number and uh uh I don't think I
[00:11:39.47]
wanna do that so uh I'm gonna go
over to my command prompt and do
an ifconfig and I see I'm on a
[00:11:45.53]
on a 10. network and check the
routing cable and the gateway is
10.0.0.1, just like I'd expect
[00:11:51.03]
so I'm going to nmap 10.0.0.1
and see what's on the gateway.
Uh they've got 22 23 53 80 52 80
[00:11:57.80]
so I would try SSH-ing or uh
just or HTTPS-ing to my local
server or my app engine through
[00:12:02.80]
[00:12:05.57]
those various ports first.
That's the easiest way. Umm, for
the sake of the demo we are
[00:12:10.40]
going to say those failed, uh
the the proxy is not configured
that badly. Um so since we can't
[00:12:16.20]
get through it that way our next
option is running Iodine; so we
do IP over DNS so I run Iodine,
[00:12:21.20]
[00:12:23.30]
I use the password I specified
earlier and I specify a DNS
packet-size just because it
[00:12:29.60]
makes it run faster and I get my
domain t.perimetergrid.com now
it will attempt to uh connect.
[00:12:36.20]
Normally we wouldn't use that
dash m, just used it to make the
demo run faster. It will auto
[00:12:39.97]
guess the size but it takes it a
couple of minutes to do it so
that speeds it along. And I do
[00:12:46.93]
an ifconfig and I now have this
new interface DNS zero which is,
it's pointing to 172.16.02 so I
[00:12:51.53]
ping 172.16.01. That is actually
my server being accessed through
the tunnel cos remember I'm on a
[00:12:53.53]
10. network; I shouldn't be able
to get to 172.16 so I'm going to
an SSH dash D uh set up for port
[00:12:55.60]
5000 and I'm going to login to
my own server using the tunnel
address 172.16.01. And now I'm
[00:13:00.40]
on my server. I'm going over,
completely over DNS so since
I've got that SOCKS proxy set
[00:13:04.33]
up, the next thing I want to do
is reconfigure my local web
browser and I'm going to tell it
[00:13:09.43]
manually proxy config, give it
SOCKS v4 proxy 127.0.0.1 port
5000 and now when I go back here
[00:13:14.43]
[00:13:42.67]
and I back out of this captive
portal, and I look for food, I
have found food!! So...
[00:13:47.67]
[00:13:57.23]
[audience applauds] Thank you.
Now if that hadn't worked we do
have one other option and that
[00:14:02.23]
[00:14:05.60]
is MAC spoofing. I'm running
this one on a Kali VM, uh,
because my Windows driver will
[00:14:10.30]
not let me get away with these
tricks. So uh I got, I got this
one using a USB wireless adapter
[00:14:15.30]
[00:14:17.33]
on Kali so wlan1, I'm going to
grab the uh MAC address of the
access point, this is the
[00:14:20.73]
hotspot network that I'm
connected to and I'm going to
Airomon-NG and turn on monitor
[00:14:23.37]
mode on my uh wifi card. Monitor
mode's now on so I will run
Airodump-NG and I will pass it
[00:14:28.97]
in, wlan one on and it will pass
in the MAC address of the
hotspot. That just makes it not
[00:14:33.97]
[00:14:37.77]
show me any other networks in
the area and only show me the
network I want. And I look, ah
[00:14:42.77]
[00:14:46.70]
look their client just connected
985FD3 etcetera. Um, normally I
would wait and see other clients
[00:14:50.87]
connect, see if one of them
drops off in this case, once
again for speed I'm going to
[00:14:56.77]
just break out of there and uh
on Linux it's really easy to
change your MAC address; it's
[00:15:02.47]
quite trivial, you just down the
interface and then run MAC
change or dash m and uh specify
[00:15:07.47]
[00:15:10.97]
the new MAC address and then
we're gonna up the interface
again and now we give it a good
[00:15:15.97]
[00:15:23.80]
30 seconds, because this seems
to confuse most of the uh most
of the Linux networking GUI
[00:15:28.60]
tools. [quietly to self] Um, try
connecting again. Ok now it
thinks it's connected so we're
[00:15:33.60]
[00:15:39.40]
gonna go back here and we're
out. So... [audience applauds]
Alright I'm at one minute left
[00:15:44.40]
[00:15:54.33]
so I can take like a question
but otherwise I'm going to be in
the hallway on the right to
[00:15:58.33]
answer any other questions
people have. So... got, anyone?
[pause] OK. Thank you. [audience
[00:16:03.33]
[00:16:13.00]
applauds]
[00:16:13.97]